Yes, you should be worried. This is not a standard practice in any secure network environment. No access should be granted through the firewall to connect to an outside vendor. Instead, you must create a separate DMZ outside your private/protected space that will allow access to the other company. Use a machine within your DMZ or another DMZ just for this purpose, terminal service into that device and then VPN.
This will protect your company and allow much greater control over the device in case of malicious code, hack attempts or data coming back from the other company.
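The difference between the two designs in this answer (a hole straight through the firewall versus a DMZ jump host that users terminal-service into before the VPN is built) comes down to which hosts may initiate connections to which. The following is an added example, not part of the original answer: a small Python model of both rule sets, with a reachability check that shows why a compromised jump host or a hostile vendor network cannot pivot into the internal network under the DMZ design. All addresses, host names and port choices are assumptions constructed for the illustration; the model covers connection initiation only and ignores stateful return traffic.

```python
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port; None matches any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything unmatched falls to an implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


# Assumed addresses, constructed for this example only.
INTERNAL_NET = "10.0.0.0/8"
JUMP_HOST = "192.0.2.10"          # the DMZ machine the answer says to terminal-service into
VENDOR_NET = "203.0.113.0/24"
VENDOR_VPN_GW = "203.0.113.5"     # the vendor-side VPN endpoint

RDP, IKE, IPSEC_NAT_T, SMB = 3389, 500, 4500, 445

# Design the questioner was asked to accept: internal hosts talk to the vendor directly.
DIRECT_RULES = [
    Rule("allow", INTERNAL_NET, VENDOR_NET, None),
]

# Design the answer recommends: internal users may only reach the DMZ jump host
# (terminal services), and only the jump host may build the VPN to the vendor.
# Nothing permits vendor -> internal or jump host -> internal, so those fall to deny.
DMZ_RULES = [
    Rule("allow", INTERNAL_NET, f"{JUMP_HOST}/32", RDP),
    Rule("allow", f"{JUMP_HOST}/32", f"{VENDOR_VPN_GW}/32", IKE),
    Rule("allow", f"{JUMP_HOST}/32", f"{VENDOR_VPN_GW}/32", IPSEC_NAT_T),
]


def reachable(rules: List[Rule], hosts: List[str], src: str, dst: str,
              ports: List[int]) -> bool:
    """Breadth-first search over hosts: can src get a new connection to dst,
    pivoting through any host it is allowed to reach on one of the ports?
    This is the question an attacker on a compromised host asks."""
    seen = {src}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in hosts:
            if nxt in seen:
                continue
            if any(decide(rules, cur, nxt, p) == "allow" for p in ports):
                if nxt == dst:
                    return True
                seen.add(nxt)
                queue.append(nxt)
    return False


HOSTS = ["10.1.2.3", JUMP_HOST, VENDOR_VPN_GW]   # one internal workstation, jump host, vendor gateway
PORTS = [RDP, IKE, IPSEC_NAT_T, SMB]


def compare() -> dict:
    """Summarise what each design lets through, keyed by (design, question)."""
    out = {}
    for name, rules in (("direct", DIRECT_RULES), ("dmz", DMZ_RULES)):
        out[(name, "internal_to_vendor_direct")] = decide(rules, "10.1.2.3", VENDOR_VPN_GW, SMB)
        out[(name, "internal_reaches_vendor")] = reachable(rules, HOSTS, "10.1.2.3", VENDOR_VPN_GW, PORTS)
        out[(name, "vendor_reaches_internal")] = reachable(rules, HOSTS, VENDOR_VPN_GW, "10.1.2.3", PORTS)
        out[(name, "jump_host_reaches_internal")] = reachable(rules, HOSTS, JUMP_HOST, "10.1.2.3", PORTS)
    return out


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key[0]:6s} {key[1]:28s} {value}")
```

Under the DMZ rule set the internal workstation still gets to the vendor, but only by way of the jump host, and neither the jump host nor the vendor side can open anything back into the internal range. That containment is what the answer means by "much greater control over the device in case of malicious code".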
For more info on this topic, please visit the related SearchSecurity.com resources.
This was first published in September 2003